Open-event-server: Organizer should be able to download tickets of attendees

Created on 29 May 2019 · 32 Comments · Source: fossasia/open-event-server

Organizers should have access to download tickets of attendees of their own events.

bug

All 32 comments

@ShridharGoel The recent ticketing refactor made it point to a different link. Will fix this.
static/media should be replaced with generated/

@ShridharGoel This issue is not present locally.
Screenshot 2019-05-29 at 10 00 41 AM

Just checked, the URL for new attendees has generated instead of static/media, but the link is still not working. Did you try to open the link?

@ShridharGoel You can't access the tickets directly. The request going to that link must have certain authorisation headers attached to access it. This was a security refactor on the server to prevent access by unauthorized personnel.

@mrsaicharan1 Yes, I'm providing the JWT authorization token in the headers.

The link is being fetched properly. It's just that it's not opening.

Yeah, I got that. But the mechanism on the server is such that a current_user proxy must be present. What is the exact error, NotFound or Unauthorized?

@mrsaicharan1

Error screenshot

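try:
    # .one() raises NoResultFound when no order matches;
    # .first() would return None and never reach the except branch.
    order = Order.query.filter_by(identifier=order_identifier).one()
    user_id = order.user.id
except NoResultFound:
    return NotFoundError({'source': ''}, 'This ticket is not associated with any order').respond()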

@ShridharGoel So basically, either the order_identifier which you are passing is wrong or the order isn't going through and isn't saved on the db. I'm able to obtain the tickets through the frontend.
@iamareebjamal Can you confirm?

@ShridharGoel Please post the URL here

> I'm able to obtain the tickets through the frontend

@mrsaicharan1 Please send link of that PDF

@mrsaicharan1 Please check if you can download the PDF. @ShridharGoel, we'll also need your JWT to test the link

I can download from the front-end

@mrsaicharan1 I'm talking about the link shared here

No, @iamareebjamal.
Need JWT headers @ShridharGoel

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1NTkxNTgyMTQsImlhdCI6MTU1OTA3MTgxNCwibmJmIjoxNTU5MDcxODE0LCJpZGVudGl0eSI6NH0.ekLj24ie4a_RDPCVurL1dpsCSpjRQJzbtoGTYgsbt_U

> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1NTkxNTgyMTQsImlhdCI6MTU1OTA3MTgxNCwibmJmIjoxNTU5MDcxODE0LCJpZGVudGl0eSI6NH0.ekLj24ie4a_RDPCVurL1dpsCSpjRQJzbtoGTYgsbt_U

Yeah, 404 not found.

So this issue is valid then

How is it related to the JWT token? Shouldn't the direct link to download be working anyways?

No, I shouldn't be able to download your ticket

> @ShridharGoel You can't access the tickets directly. The request going to that link must have certain authorisation headers attached to access it. This was a security refactor on the server to prevent access by unauthorized personnel.

This ^ @ShridharGoel

> No, I shouldn't be able to download your ticket

But organizers can download the tickets of the attendees of their event, right?

> > No, I shouldn't be able to download your ticket
>
> But organizers can download the tickets of the attendees of their event, right?

I think a new endpoint is required for that where they can download individual/all tickets.

> > > No, I shouldn't be able to download your ticket
> >
> > But organizers can download the tickets of the attendees of their event, right?
>
> I think a new endpoint is required for that where they can download individual/all tickets.

Actually, the links of the PDFs of attendees are being provided to the organizer in the Orga App. Due to the recent security changes, this functionality might have changed because of which the links can no longer be accessed by the organizers. Although, in the present case, I'm not able to download my own tickets too using the Attendee App.

@ShridharGoel That's because attendee app has not implemented the security changes.

@mrsaicharan1 No need for new endpoint, just change the added check that allows organizer to download the ticket as well

@ShridharGoel So the main problem here is, you're not able to download your own ticket, right?

@mrsaicharan1 I am able to download my own ticket from the frontend, but not from the attendee app. That might be because the attendee app has not implemented the security changes as @iamareebjamal mentioned above.

The change required is that the organizers should be able to download the tickets of the attendees of their events as well.

Alright.

Just change the issue name and will work on this.

Updated.
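
The check requested in this thread, sketched as an added example (not open-event-server's own code): the attendee who placed the order and an organizer of that order's event may fetch the ticket, while anyone else, including an organizer of a different event, is refused. The `Event` and `Order` classes, `authorize_ticket_download` and the sample data are hypothetical stand-ins, not the project's models or routes.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Event:
    id: int
    organizer_ids: Set[int] = field(default_factory=set)


@dataclass
class Order:
    identifier: str
    user_id: int  # the attendee who placed the order
    event: Event


def authorize_ticket_download(current_user_id: Optional[int],
                              order_identifier: str,
                              orders: Dict[str, Order]) -> int:
    """Return the HTTP status a ticket-PDF route should answer with."""
    if current_user_id is None:
        return 401  # no identity could be taken from the JWT
    order = orders.get(order_identifier)
    if order is None:
        return 404  # a missing order is a None result here, so test for it explicitly
    if order.user_id == current_user_id:
        return 200  # the attendee downloading their own ticket
    if current_user_id in order.event.organizer_ids:
        return 200  # an organizer of the event this order belongs to
    return 403  # authenticated, but neither owner nor organizer of that event


# Constructed sample data: user 4 bought a ticket for event 1 (organized by user 7),
# user 5 bought a ticket for event 2 (organized by user 9).
EVENT_1 = Event(id=1, organizer_ids={7})
EVENT_2 = Event(id=2, organizer_ids={9})
ORDERS = {
    "order-aaa": Order("order-aaa", user_id=4, event=EVENT_1),
    "order-bbb": Order("order-bbb", user_id=5, event=EVENT_2),
}

if __name__ == "__main__":
    for uid in (None, 4, 7, 9):
        print(uid, authorize_ticket_download(uid, "order-aaa", ORDERS))
    print(4, authorize_ticket_download(4, "no-such-order", ORDERS))
```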
